Because Beta Apps are not fully developed, they are not officially supported by Sumo Logic Support, and documentation instructions are not final. To provide feedback, report a bug, or get help, log into the Sumo Logic Community, and post to the topic for your Beta App.

This page provides instructions for configuring log collection for the Observable Network App, as well as relevant log and query samples.

The Observable Networks App allows you to monitor your Observable Networks deployment from Sumo Logic. From Sumo Logic, you can set up forwarding for log monitoring and authentication logs to Observable Networks. With log monitoring, Observable Networks can notify you when a collector is missing, exposing gaps in your log coverage. Authentication log forwarding allows for more accurate and detailed alerts, using Sumo Logic log data to provide extra richness to Observable's Dynamic Endpoint Modeling algorithms.

Observable Networks is a provider of network security technology and advanced threat detection services that identify compromised and misused networked devices. Observable's Dynamic Endpoint Modeling technology includes a cloud-based service platform incorporating automated security analytics and real-time traffic sensors to continuously model all devices on a network. Endpoint modeling is based on network traffic flow metadata and is indifferent to encryption. Observable makes it easy to readily understand normal and abnormal device behaviors, helping to identify compromised devices and facilitate faster remediation.

Configure Log Monitoring (optional)

If you have Sumo Logic API access, you can integrate Observable Networks and Sumo Logic even further. You can configure Observable Networks to identify devices on your network that do not have Collectors installed. Additionally, Observable Networks can parse authentication log ("auth.log") data from certain Linux distributions (e.g., Ubuntu) to monitor user access.

Identify Missing Collectors

You can configure the Observable Networks portal to expect certain roles in the network to have corresponding log files. For example, you might expect a Terminal Server to capture an auth.log. When you configure this expectation, Observable will alert when a role is missing an expected log file, notifying you that there is a gap in your log coverage.